Smithy
Cirrostratus
Cirrostratus

To get the APM Cookbook series moving along, I’ve decided to help out by documenting the common APM solutions I help customers and partners with on a regular basis.

Kerberos SSO is nothing new, but it seems to stump people who have never used Kerberos before. Getting Kerberos SSO to work with APM is straightforward once you have the Active Directory components configured.

Overview

I have a pre-configured web service (IIS 7.5/Sharepoint 2010) that is configured for Windows Authentication, which will send a “Negotiate” in the header of the “401 Request for Authorization”. Make sure the web service is configured to send the correct header before starting the APM configuration by accessing the website directly and viewing the headers using browser tools.

In my example, I used the Sharepoint 2010/2013 iApp to build the LTM configuration. I’m using a single pool member, sp1.f5.demo (10.10.30.2) listening on HTTP and the Virtual Server listening on HTTPS performing SSL offload.

Step 1 - Create a delegation account on your domain

1.1 Open Active Directory Users and Computers administrative tool and create a new user account.

  • User logon name: host/apm-kcd.f5.demo
  • User logon name (pre-Windows 2000): apm-kcd
  • Set the password and set it to never expire

1.2 Alter the account and set the servicePrincipalName. Run setspn from the command line:

  • setspn -A host/apm-kcd.f5.demo apm-kcd

A delegation tab will now be available for this user.

Step 2 - Configure the SPN

2.1 Open Active Directory Users and Computers administrative tool and select the user account created in the previous step.

  • Edit the Properties for this user
  • Select the Delegation tab
  • Select: Trust this user for delegation to specified services only
  • Select: Use any authentication protocol
  • Select Add, to add services.
  • Select Users or Computers…
  • Enter the host name, in my example I will be adding HTTP service for sp1.f5.demo (SP1).

  • Select Check Names and OK

  • Select the http Service Type and OK

2.2 Make sure there are no duplicate SPNs by running setspn -x from the command line.

Step 3 - Check Forward and Reverse DNS

DNS is critical, and a missing PTR record is a common error I find when troubleshooting Kerberos SSO problems.

From the BIG-IP command line, test that forward and reverse records exist for the web service using dig:

# dig sp1.f5.demo

;; QUESTION SECTION:

;sp1.f5.demo. IN A

;; ANSWER SECTION:

sp1.f5.demo. 1200 IN A 10.10.30.2

# dig -x 10.10.30.2

;; QUESTION SECTION:

;2.30.10.10.in-addr.arpa. IN PTR

;; ANSWER SECTION:

2.30.10.10.in-addr.arpa. 1200 IN PTR sp1.f5.demo.
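
The same forward and reverse check as a script, added here as an example (it is not part of the original article or F5 tooling). It assumes the SPN is built from the PTR name, which matches the SPN shown in the Step 5.2 log; the function names and the sp2/sp3 records are constructed for illustration.

```python
import socket

def norm(name):
    # DNS names are case-insensitive and dig prints them with a trailing dot.
    return name.rstrip(".").lower()

def system_forward(host):
    """IPv4 addresses for host from the system resolver ([] if none)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except OSError:
        return []

def system_reverse(ip):
    """PTR name for ip from the system resolver (None if missing)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def check_kcd_dns(host, realm, forward=system_forward, reverse=system_reverse):
    """Return (ok, spn, problems) for one pool member."""
    problems, spn = [], None
    ips = forward(host)
    if not ips:
        problems.append(f"no A record for {host}")
    for ip in ips:
        ptr = reverse(ip)
        if ptr is None:
            problems.append(f"no PTR record for {ip}")
        elif norm(ptr) != norm(host):
            problems.append(f"PTR for {ip} is {norm(ptr)}, not {norm(host)}")
        else:
            # Assumption: the SPN is HTTP/<PTR name>@<REALM>, as in the Step 5.2 log.
            spn = f"HTTP/{norm(ptr)}@{realm.upper()}"
    return (not problems, spn, problems)

# Constructed records: sp1 mirrors the dig output above; sp2 and sp3 are
# hypothetical hosts with a missing and a mismatched PTR.
A = {"sp1.f5.demo": ["10.10.30.2"], "sp2.f5.demo": ["10.10.30.3"], "sp3.f5.demo": ["10.10.30.4"]}
PTR = {"10.10.30.2": "sp1.f5.demo.", "10.10.30.4": "web-farm.f5.demo."}

def fake_forward(host):
    return A.get(host, [])

if __name__ == "__main__":
    for h in A:
        print(h, check_kcd_dns(h, "f5.demo", fake_forward, PTR.get))
```

Called with only a host and realm, check_kcd_dns uses the system resolver, so it can be pointed at real pool members; the SPN it returns should match the service delegated in Step 2.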

Step 4 - Create the APM Configuration

In this example I will use a Logon Page to capture the user credentials that will be authenticated against Active Directory and mapped to the SSO variables for the Kerberos SSO.

4.1 Configure AAA Server for Authentication

Access Policy >> AAA Servers >> Active Directory >> “Create”

Supply the following:

  • Name: f5.demo_ad_aaa
  • Domain Name: f5.demo
  • Domain Controller: (Optional – BIG-IP will use DNS to discover if left blank)
  • Admin Name and Password

Select “Finished” to save.

4.2 Configure Kerberos SSO

Access Policy >> SSO Configurations >> Kerberos >> “Create”

Supply the following:

  • Name: f5.demo_kerberos_sso
  • Username Source: session.sso.token.last.username
  • User Realm Source: session.ad.last.actualdomain
  • Kerberos Realm: F5.DEMO
  • Account Name: apm-kcd (from Step 1)
  • Account Password & Confirm Account Password (from Step 1)

Select “Finished” to save.

4.3 Create an Access Profile and Policy

We can now bring it all together using the Visual Policy Editor (VPE).

Access Policy >> Access Profiles >> Access Profile List >> “Create”

Supply the following:

  • Name: intranet.f5.demo_sso_ap
  • SSO Configuration: f5.demo_kerberos_sso
  • Languages: English (en)
  • Use the default settings for all other settings.

Select “Finished” to save.

4.4 Edit the Access Policy in the VPE

Access Policy >> Access Profiles >> Access Profile List >> “Edit” (intranet.f5.demo_sso_ap)

On the fallback branch after the Start object, add a Logon Page object.

  • Leave the defaults and “Save”.

On the fallback branch after the Logon Page object, add an AD Auth object.

  • Select the Server

  • Select “Save” when you're done.

On the Successful branch after the AD Auth object, add an SSO Credential Mapping object.

  • Leave the defaults and “Save”.

 

On the fallback branch after the SSO Credential Mapping, change Deny ending to Allow. The finished policy should look similar to this:

Don't forget to “Apply Access Policy”.

 

Step 5 - Attach the APM Policy to the Virtual Server and Test

5.1 Edit the Virtual Server

Local Traffic >> Virtual Servers >> Virtual Server List >> intranet.f5.demo_vs

Scroll down to the Access Policy section and select the Access Profile.

Select “Update” to save.

5.2 Test

Open a browser, access the Virtual Server URL (https://intranet.f5.demo in my example), authenticate and verify the client is automatically logged on (SSO) to the web service. To verify Kerberos SSO has worked correctly, turn on debug logging and check /var/log/apm on APM. You should see log events similar to the ones below when the BIG-IP has fetched a Kerberos ticket.

info websso.1[9041]: 014d0011:6: 33186a8c: Websso Kerberos authentication for user 'test.user' using config '/Common/f5.demo_kerberos_sso'
debug websso.1[9041]: 014d0018:7: sid:33186a8c ctx:0x917e4a0 server address = ::ffff:10.10.30.2
debug websso.1[9041]: 014d0021:7: sid:33186a8c ctx:0x917e4a0 SPN = HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0023:7: S4U ======> ctx: 33186a8c, sid: 0x917e4a0, user: test.user@F5.DEMO, SPN: HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0001:7: Getting UCC:test.user@F5.DEMO@F5.DEMO, lifetime:36000
debug websso.1[9041]: 014d0001:7: fetched new TGT, total active TGTs:1
debug websso.1[9041]: 014d0001:7: TGT: client=apm-kcd@F5.DEMO server=krbtgt/F5.DEMO@F5.DEMO expiration=Tue Apr 29 08:33:42 2014  flags=40600000
debug websso.1[9041]: 014d0001:7: TGT expires:1398724422 CC count:0
debug websso.1[9041]: 014d0001:7: Initialized UCC:test.user@F5.DEMO@F5.DEMO, lifetime:36000 kcc:0x92601e8
debug websso.1[9041]: 014d0001:7: UCCmap.size = 1, UCClist.size = 1
debug websso.1[9041]: 014d0001:7: S4U ======> - NO cached S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO - trying to fetch
debug websso.1[9041]: 014d0001:7: S4U ======> - NO cached S4U2Self ticket for user: test.user@F5.DEMO - trying to fetch
debug websso.1[9041]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: test.user@F5.DEMO
debug websso.1[9041]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0001:7: S4U ======> OK!
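
A small checker for this debug output, added here as an example (it is not F5 tooling or the author's code). It pulls out the delegation account's TGT, the SPN, the S4U2Self and S4U2Proxy fetches and any websso error lines; the sample text reuses lines from the excerpt above plus one error line from the comment thread on this page, and the function names are hypothetical.

```python
import re

# Taken from the log excerpts on this page: five lines of the successful
# exchange, then one error line quoted in the comments.
SAMPLE_LOG = """\
debug websso.1[9041]: 014d0021:7: sid:33186a8c ctx:0x917e4a0 SPN = HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0001:7: TGT: client=apm-kcd@F5.DEMO server=krbtgt/F5.DEMO@F5.DEMO expiration=Tue Apr 29 08:33:42 2014  flags=40600000
debug websso.1[9041]: 014d0001:7: S4U ======> - fetched S4U2Self ticket for user: test.user@F5.DEMO
debug websso.1[9041]: 014d0001:7: S4U ======> trying to fetch S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO
debug websso.1[9041]: 014d0001:7: S4U ======> fetched S4U2Proxy ticket for user: test.user@F5.DEMO server: HTTP/sp1.f5.demo@F5.DEMO
Oct 17 15:54:52 sok5-f5 err websso.3[23639]: 014d0043:3: /Common/pptest2:Common:61e5157b: SSO username is empty - SSO is disabled
"""

PATTERNS = {
    "spn": re.compile(r"\bSPN = (\S+)"),
    "tgt": re.compile(r"\bTGT: client=(\S+) server=(\S+)"),
    "self": re.compile(r"\bfetched S4U2Self ticket for user: (\S+)"),
    "proxy": re.compile(r"\bfetched S4U2Proxy ticket for user: (\S+) server: (\S+)"),
    "err": re.compile(r"\berr websso\.\d+\[\d+\]: ([0-9a-f]{8}):\d+: (.*)"),
}

def summarize(log_text):
    """Collect KCD milestones and websso errors from /var/log/apm text."""
    out = {"spn": set(), "tgt": set(), "self": set(), "proxy": set(), "err": []}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            # One capture group yields a string, two yield a tuple.
            value = m.group(1) if rx.groups == 1 else m.groups()
            if key == "err":
                out["err"].append(value)  # keep errors in log order
            else:
                out[key].add(value)
    return out

def delegation_ok(summary, user, spn):
    """True when the log shows both S4U tickets being fetched for user and spn."""
    return user in summary["self"] and (user, spn) in summary["proxy"]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["tgt"], s["err"])
    print(delegation_ok(s, "test.user@F5.DEMO", "HTTP/sp1.f5.demo@F5.DEMO"))
```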

Conclusion

Like I said in the beginning, once you know how Kerberos SSO works with APM, it’s a piece of cake!

Comments
Mike_61663
Cirrus
Cirrus
Nice article Brett. The only other step that I'd add is to ensure that you have NTP enabled on your BIG-IP and your AD Controller. If the times are out of sync then you'll run into all sorts of problems.
AP_129594
Nimbostratus
Nimbostratus
I am running into a situation to allow internal users to pass kerberos authentication to the SAML resource, but external is via AD auth. Based on the log, the kerberos id is user1@company.com, is there a way that I can trim to just user1?
AP - yes, you can - there are many ways to do that. Probably one of the easiest is to do AD Query right after successful Kerberos Auth and put the following into the search filter:

userPrincipalName=%{session.logon.last.username}

That will retrieve the entire AD object for the user that has authenticated via Kerberos, and you will be able to use samAccountName attribute in your SAML assertion (which will effectively have their account name without the domain in it).
shsingh
F5 Employee
F5 Employee
agree with Mike... 99% of Kerberos issues relate to DNS and NTP... as Kerberos is a time sensitive protocol, and DNS is imperative for the SRV records for the KCDs to be found in your Active Directory
whswhswhs124_98
Nimbostratus
Nimbostratus
'
0_171810
Nimbostratus
Nimbostratus
To Michael Kyofman's response, I can't use AD query to pick the userPrincipalName because the Windows team has a different hostname from the fqdn. I have to assign a variable and trim everything after @domain.com. This variable assign seems to work because my session ID is USER1 instead of USER1@domain.name. I have tried everything on the assertion subject value, but nothing works. Please email tcoolhon .at. gmail.com
David_buffa_223
Nimbostratus
Nimbostratus
hi brett, great subject!!! just one question: SP1 (10.10.30.2) is pool member or virtual server ? thks for help
Smithy
Cirrostratus
Cirrostratus
SP1 is the pool member
Smithy
Cirrostratus
Cirrostratus

A few updates.

 

In Section 4.2:

 

KDC - Leave Blank, but be aware of https://support.f5.com/kb/en-us/solutions/public/16000/400/sol16483.html

 

Account Name: use host/apm- instead of the sAMAccountName

 

Mulham_171271
Nimbostratus
Nimbostratus

hi Bret,

 

Great guide ! could you please detail the last step in 2.1, it says "Enter the host name, in my example I will be adding HTTP service for sp1. (SP1)."

 

So what exactly is this SP1? is it a user you created earlier or what

 

Thanks a lot

 

The-messenger
Cirrostratus
Cirrostratus

Looking at your guide, and Kerberos SSO, for the first time. I haven't seen AD account creation with an account starting with a slash, please explain. Am I missing something too obvious?

 

What is the significance of "host/" in the account name? Should "host/" be the first part of the account name? Is "host" representative of another value or is this literal?

 

Smithy
Cirrostratus
Cirrostratus

Hi Mulham,

 

In my example, sp1. was a Sharepoint site.

 

Cheers,

 

Brett

 

Smithy
Cirrostratus
Cirrostratus

Hi The-messenger,

 

The user logon name needs to be in the Service Principal Name (SPN) form: https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

 

Cheers,

 

Brett

 

RiverFish
Altostratus
Altostratus

Most intranet sites don't require you to type in credentials. Won't the "Logon Page" prompt for creds? I thought the whole point of kerberos was to provide seamless authentication. Guess I'm missing something.

 

Smithy
Cirrostratus
Cirrostratus

Hi RiverFish,

 

This is for the remote access use case to an internal site providing secure authentication and SSO.

 

Cheers,

 

Brett

 

RiverFish
Altostratus
Altostratus

Roger that. We have an internal site that has seamless auth. When we put it behind the F5 the auth broke. Using APM, how would I continue the seamless auth? Using chrome tools I see:

 

Server response:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server:
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM

Client reply:
Authorization:Negotiate YIIMjgYGKwYBBQ....

From what I've read the "Y" in the client reply indicates kerberos. Can you provide a link to guide me in the right direction? From what I've seen you can start the VPE off with a "Client Cert Inspection" or a "HTTP 401 Response". I believe we have the ability to do both. Which one is better. Thanks for your time.

 

Smithy
Cirrostratus
Cirrostratus

Hi RiverFish,

 

If this is an internal site, check your SPN and IIS are configured correctly: https://blogs.technet.microsoft.com/askds/2011/08/09/kerberos-and-load-balancing/

 

No APM required.

 

Cheers,

 

Brett

 

OM
Nimbostratus
Nimbostratus

Hi,

 

how do you manage the PTR when you have multiple spn. say, we have and , how does F5 make a difference between them if they both share the same IP address and of course the same PTR.

 

thanks.

 

O.

 

Smithy
Cirrostratus
Cirrostratus

Sounds like you need to set the "SPN Pattern" on the Kerberos SSO configuration. From the APM help page:

 

  • HTTP/%h@REALM with REALM replaced by the actual realm name as specified in the Kerberos Realm field. The %h option takes the hostname from the HTTP request Host header. For example, from this header, Host: , %h is replaced with . The %h option is useful for multi-homed web servers (when multiple hosts use a single IP address) to avoid issues with DNS reverse lookup.
  • HTTP/%s@REALM with REALM replaced by the actual realm name as specified in the Kerberos Realm field. The %s option takes the hostname discovered through reverse DNS lookup using the server IP address.

Also have a look at: https://devcentral.f5.com/s/feed/0D51T00006i7ZhkSAE

 

Martin_Kylian_1
Nimbostratus
Nimbostratus

Hi, this works perfectly. What if i need a client to do the kerberos auth and the APM do the krb SSO. Can you describe how to configure it correctly Brett?

 

Smithy
Cirrostratus
Cirrostratus

Hi Martin,

 

Best place to start is here: https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-o...

 

You need to configure Kerberos Auth on the Client side and KCD SSO (this article) for server side.

 

Sounds like I need to write another article with a Kerberos Auth example when I get time. 🙂

 

Martin_Kylian_1
Nimbostratus
Nimbostratus

Hi Brett, thanks, I think I've done the AAA krb auth right.

 

Ending up with this

 

Oct 17 15:54:52 sok5-f5 err websso.3[23639]: 014d0026:3: /Common/pptest2:Common:61e5157b: Could not find SSO username, check SSO credential mapping agent setting
Oct 17 15:54:52 sok5-f5 debug websso.3[23639]: 014d0041:7: /Common/pptest2:Common:61e5157b: Could not find SSO domain, using default realm defined for Kerberos SSO object
Oct 17 15:54:52 sok5-f5 err websso.3[23639]: 014d0043:3: /Common/pptest2:Common:61e5157b: SSO username is empty - SSO is disabled

I can see the authenticated session. Variable session.logon.last.username by AAA is something like this user@KRB-REALM.ORG. Is the right thought that this should be mapped to be used by SSO (backend krb delegation) to defined variables (session.sso.token.last.username and session.ad.last.actualdomain in this scenario) by SSO credential mapping? Can you advise me how to achieve this?

 

Martin_Kylian_1
Nimbostratus
Nimbostratus

Hi, i've solved the trouble. I'll post the solution here.

 

Smithy
Cirrostratus
Cirrostratus

Hi Martin,

 

You can split the user@KRB-REALM.ORG (session.logon.last.username) into separate variables using TCL or add an AD Query object to the VPE and set the "SearchFilter" to "userPrincipalName=%{session.logon.last.username}". It will populate "session.ad.last.attr.sAMAccountName" and "session.ad.last.actualdomain". Then change the "SSO Credential Mapping" object to use "session.ad.last.attr.sAMAccountName" instead of "session.logon.last.username".

 

Cheers,

 

Brett

 

Martin_Kylian_1
Nimbostratus
Nimbostratus

I have chosen the TCL way. AD query consumes time 🙂

 

Variable assign contains:

 

session.sso.token.last.username = expr { [regsub {(.+\|^)} [mcget {session.logon.last.username}] "" x; set username $x; regsub {(\@.+)} $username "" y; set username $y]}

 

session.ad.last.actualdomain = expr { [regsub {(\.+)} [mcget {session.logon.last.username}] "" x; set username $x; regsub {(.+\@)} $username "" y; set username $y]}

 

This splits the krb username@realm into two variables

 

Last update: 28-Apr-2014 06:16